Internet Archive hacked again: mass mail campaign after attack

Update 21/10/2024 — Following the hack in early October, the Internet Archive faces another security incident. Cybercriminals launched an email campaign following the new attack.

Several users who contacted the Internet Archive received an email last weekend. “It’s dispiriting to see that even after being made aware of the breach weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets,” the hacker said in the email. The cybercriminal claims he was able to obtain user data via a Zendesk token, which gives access to more than 800,000 support tickets. These could include tickets with general questions or removal requests.

The email passed all authentication checks, showing that it was sent via a Zendesk server. A user reported to BleepingComputer that a recipient had been asked to upload files for personal identification. Depending on the level of access to Zendesk’s API, the hacker might also have access to those attachments.

Original – Hacker posts notification on Archive.org: “Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened!”

The Internet Archive took steps to remove the notification quickly. It posted a new message stating that the site was temporarily offline. Since then, the website has returned to full operation. Interestingly, Brewster Kahle, the founder of Archive.org, reported that a DDoS attack hit the platform during the mitigation steps. The hacker collective BlackMeta was said to be behind this attack.

The hacker, meanwhile, had captured 31 million account details. In his original post, he referred to evidence on the website Have I Been Pwned, a database that can be used to check if personal data has been breached. Many malicious actors share stolen data with Have I Been Pwned so that affected end users can be notified.

Visible on Have I Been Pwned

Have I Been Pwned has since confirmed the leak to BleepingComputer. More than a week ago, the hacker shared a 6.4 GB SQL file containing the authentication information of registered members, including email addresses, names, timestamps of password changes, and hashed passwords.

The hack presumably took place on Sept. 28, as the last password was changed on that date. Indeed, the file contains 31 million unique e-mail addresses, confirms Have I Been Pwned. The data will soon be added to the database, allowing users to enter their e-mail address to check if they have been affected.
